2019-001: OWASP IoT Top 10 discussion with Aaron Guzman
Published January 14, 2019
36 min

    Show notes

    Aaron Guzman: @scriptingxss

    https://www.computerweekly.com/news/252443777/Global-IoT-security-standard-remains-elusive

    https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

    https://scriptingxss.gitbooks.io/embedded-appsec-best-practices//executive_summary/9_usage_of_data_collection_and_storage_-_privacy.html

    OWASP SLACK: https://owasp.slack.com/

    https://www.owasp.org/images/7/79/OWASP_2018_IoT_Top10_Final.jpg

    Team of 10 or so… list of “do’s and don’ts”

    Sub-projects? Embedded systems, car hacking

    Embedded applications best practices? *potential show*

    Standards: https://xkcd.com/927/

    CCPA:  https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

    California SB-327: https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327

    How did you decide on the initial criteria?

    1. Weak, Guessable, or Hardcoded Passwords
    2. Insecure Network Services
    3. Insecure Ecosystem Interfaces
    4. Lack of Secure Update Mechanism
    5. Use of Insecure or Outdated Components
    6. Insufficient Privacy Protection
    7. Insecure Data Transfer and Storage
    8. Lack of Device Management
    9. Insecure Default Settings
    10. Lack of Physical Hardening
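    The first two entries on the list are the ones a firmware reviewer can check mechanically once a firmware image has been unpacked. The script below is an added example (not code from the OWASP IoT project, the podcast, or Aaron Guzman) that audits an unpacked root filesystem for I1 indicators (empty or weak-hash accounts in /etc/shadow, credentials hardcoded in scripts and configs) and I2 indicators (legacy cleartext daemons such as telnetd launched from init files). It assumes a Linux-style layout under etc/; the sample filesystem it writes to a temp dir is constructed for the demo, the hashes in it are dummy strings, and the credential regexes are heuristics to be tuned for a real engagement.

```python
"""Audit an unpacked firmware root filesystem for OWASP IoT Top 10 I1/I2 indicators.

Added example, not code from the OWASP IoT project or this podcast. Assumes the
firmware was already extracted to a directory (e.g. with binwalk) with Linux-style
/etc/shadow and init scripts. build_sample_rootfs() writes a constructed sample
so the audit runs offline; every hash and secret in it is a dummy value.
"""
import re
import tempfile
from pathlib import Path

# crypt(3) prefixes treated as weak here (MD5-crypt). A hash with no '$' prefix is
# traditional DES crypt and is flagged as well.
WEAK_HASH_PREFIXES = ("$1$",)

# Heuristics for hardcoded credentials in shell scripts and configs (assumption:
# good enough for a demo; tune for real firmware).
CRED_PATTERNS = (
    re.compile(r'(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*\S+'),
    re.compile(r'\becho\s+.+\|\s*(passwd|chpasswd)\b'),   # echo "u:p" | chpasswd
)

# Daemons that expose a cleartext or legacy service if started at boot (I2).
LEGACY_DAEMON_RE = re.compile(r'\b(telnetd|ftpd|tftpd|rshd)\b')


def audit_shadow(shadow_text):
    """Return (category, account, detail) findings for empty or weak passwords (I1)."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 2:
            continue
        user, hashed = fields[0], fields[1]
        if hashed == '':
            findings.append(('I1', user, 'empty password field: no credential needed'))
        elif hashed.startswith(('*', '!')):
            continue  # locked account: password login is impossible
        elif not hashed.startswith('$'):
            findings.append(('I1', user, 'traditional DES crypt hash'))
        elif hashed.startswith(WEAK_HASH_PREFIXES):
            findings.append(('I1', user, 'weak hash type %s' % hashed[:3]))
    return findings


def audit_hardcoded_credentials(root):
    """Scan every text file under root for credential-looking lines (I1)."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob('*') if p.is_file()):
        try:
            text = path.read_text(encoding='utf-8')
        except (UnicodeDecodeError, OSError):
            continue  # binaries need strings/disassembly; out of scope here
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith('#'):
                continue
            if any(pat.search(line) for pat in CRED_PATTERNS):
                findings.append(('I1', rel, 'line %d: %s' % (lineno, line.strip())))
    return findings


def audit_network_services(root):
    """Flag legacy daemons started from inittab, rc.local or init.d scripts (I2)."""
    root = Path(root)
    candidates = [root / 'etc/inittab', root / 'etc/rc.local']
    initd = root / 'etc/init.d'
    if initd.is_dir():
        candidates += sorted(initd.glob('*'))
    findings = []
    for path in candidates:
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(path.read_text(encoding='utf-8').splitlines(), 1):
            if line.lstrip().startswith('#'):
                continue  # commented-out services are not started
            m = LEGACY_DAEMON_RE.search(line)
            if m:
                findings.append(('I2', rel, 'line %d starts %s' % (lineno, m.group(1))))
    return findings


def audit_rootfs(root):
    """Run all checks; findings are sorted so output is stable across filesystems."""
    root = Path(root)
    findings = []
    shadow = root / 'etc/shadow'
    if shadow.is_file():
        findings += audit_shadow(shadow.read_text(encoding='utf-8'))
    findings += audit_hardcoded_credentials(root)
    findings += audit_network_services(root)
    return sorted(findings)


SAMPLE_FILES = {  # constructed sample firmware; hashes are dummy strings, not real
    'etc/shadow': ('root:$1$saltsalt$nnnnnnnnnnnnnnnnnnnnnn:17000:0:99999:7:::\n'
                   'admin::17000:0:99999:7:::\n'
                   'daemon:*:17000:0:99999:7:::\n'
                   'svc:$6$saltsalt$hhhhhhhhhhhhhhhhhhhhhh:17000:0:99999:7:::\n'),
    'etc/inittab': ('::sysinit:/etc/init.d/rcS\n'
                    '::respawn:/usr/sbin/telnetd -l /bin/sh\n'
                    '#::respawn:/usr/sbin/dropbear -F\n'),
    'etc/init.d/rcS': ('#!/bin/sh\n'
                       'mount -t proc proc /proc\n'
                       'echo "support:support123" | chpasswd\n'),
    'etc/cloud.conf': ('endpoint=https://device-cloud.example.invalid\n'
                       'api_key=0123456789abcdef\n'),
}


def build_sample_rootfs():
    """Write the constructed sample into a fresh temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix='fw-'))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding='utf-8')
    return root


if __name__ == '__main__':
    for category, subject, detail in audit_rootfs(build_sample_rootfs()):
        print(category, subject, detail)
```

    On the sample it reports the empty admin account and the MD5-crypt root hash, the `chpasswd` line and the API key as hardcoded credentials, and telnetd in inittab; the locked daemon account, the SHA-512-crypt svc account and the commented-out dropbear line are correctly left alone. Point `audit_rootfs()` at a real extracted image instead of the sample to use it in a review.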

    2014 OWASP IoT list: https://www.owasp.org/index.php/Top_10_IoT_Vulnerabilities_(2014)

    2014 list:

    BrakeSec Episode on ASVS http://traffic.libsyn.com/brakeingsecurity/2015-046_ASVS_with_Bill_Sempf.mp3


    What didn’t make the list? How do we get devs on board with these?

    How does someone interested get involved with the OWASP IoT working group?

    https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-best-practices

    https://www.iiconsortium.org/pdf/SMM_Description_and_Intended_Use_2018-04-09.pdf

    https://www.dhs.gov/sites/default/files/publications/Strategic_Principles_for_Securing_the_Internet_of_Things-2016-1115-FINAL_v2-dg11.pdf

    https://api.ctia.org/wp-content/uploads/2018/08/CTIA-IoT-Cybersecurity-Certification-Test-Plan-V1_0.pdf

    https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/747977/Mapping_of_IoT__Security_Recommendations_Guidance_and_Standards_to_CoP_Oct_2018.pdf


    https://www.mocana.com/news/mocana-xilinx-avnet-infineon-and-microsoft-join-forces-to-secure-industrial-control-and-iot-devices


    https://www.microsoft.com/en-us/research/wp-content/uploads/2017/03/SevenPropertiesofHighlySecureDevices.pdf
